wip: alloy

.forgejo/workflows/lint.yaml

@@ -10,7 +10,7 @@ jobs:
     name: Ansible Lint
     runs-on: docker
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - name: Install pip
         run: |
           apt update
@@ -24,7 +24,7 @@ jobs:
       # work in our environmnet.
       # Rather manually setup python (pip) before instead.
       - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@v26.1.1
+        uses: https://github.com/ansible/ansible-lint@v25.11.0
         with:
           setup_python: "false"
           requirements_file: "requirements.yml"

.sops.yaml

@@ -33,25 +33,15 @@ keys:
         - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
         - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
         - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
-    external:
-      age: &host_external_age_keys
-        - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
 creation_rules:
-  ## group vars
+  # group vars
   - path_regex: inventories/chaosknoten/group_vars/all.*
     key_groups:
       - pgp:
           *admin_gpg_keys
         age:
           *host_chaosknoten_age_keys
-  - path_regex: inventories/external/group_vars/all.*
+  # host vars
-    key_groups:
-      - pgp:
-          *admin_gpg_keys
-        age:
-          *host_external_age_keys
-  ## host vars
-  # chaosknoten hosts
   - path_regex: inventories/chaosknoten/host_vars/cloud.*
     key_groups:
       - pgp:
@@ -160,14 +150,6 @@ creation_rules:
           *admin_gpg_keys
         age:
           - *host_public_reverse_proxy_ansible_pull_age_key
-  # external hosts
-  - path_regex: inventories/external/host_vars/status.*
-    key_groups:
-      - pgp:
-          *admin_gpg_keys
-        age:
-          - *host_status_ansible_pull_age_key
-  # z9 hosts
   - path_regex: inventories/z9/host_vars/dooris.*
     key_groups:
       - pgp:

inventories/chaosknoten/group_vars/all.sops.yaml

@@ -1,5 +1,4 @@
 msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
-metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
 sops:
   age:
     - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
@@ -164,8 +163,8 @@ sops:
         SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn
         mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-01-25T18:06:26Z"
+  lastmodified: "2025-10-13T23:45:06Z"
-  mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
+  mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str]
   pgp:
     - created_at: "2025-10-20T19:03:07Z"
       enc: |-
@@ -361,4 +360,4 @@ sops:
         -----END PGP MESSAGE-----
       fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
   unencrypted_suffix: _unencrypted
-  version: 3.11.0
+  version: 3.10.2

inventories/chaosknoten/group_vars/all.yaml

@@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
 

inventories/chaosknoten/host_vars/grafana.yaml

@@ -53,7 +53,16 @@ nginx__configurations:
   - name: metrics.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
 
-alloy_config_additional: |
+alloy_config: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ secret__metrics_chaos }}"
+      }
+    }
+  }
   loki.write "default" {
     endpoint {
       url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
@@ -89,9 +98,9 @@ alloy_config_additional: |
     }
     rule {
       source_labels = ["__journal__hostname"]
-      target_label = "instance"
+      target_label = "host"
       regex  = "([^:]+)"
-      replacement = "${1}.hosts.hamburg.ccc.de"
+      replacement = "${1}.hamburg.ccc.de"
       action = "replace"
     }
   }
@@ -102,3 +111,30 @@ alloy_config_additional: |
     format_as_json = true
     labels        = {component = "loki.source.journal", org = "ccchh"}
   }
+
+  logging {
+    level = "info"
+  }
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.relabel "default" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "host"
+      regex  = "([^:]+)"
+      replacement = "${1}.hamburg.ccc.de"
+      action = "replace"
+    }
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.default.receiver]
+  }

inventories/chaosknoten/host_vars/netbox.yaml

@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.0"
+netbox__version: "v4.4.6"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
 

inventories/chaosknoten/host_vars/ntfy.sops.yaml

@@ -1,3 +1,5 @@
+secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
+secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
 secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
 ntfy:
   user:
@@ -16,8 +18,8 @@ sops:
         bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
         sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-01-25T18:41:48Z"
+  lastmodified: "2025-10-20T19:01:39Z"
-  mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
+  mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str]
   pgp:
     - created_at: "2025-10-20T19:03:04Z"
       enc: |-

inventories/chaosknoten/host_vars/ntfy.yaml

@@ -15,8 +15,90 @@ nginx__configurations:
   - name: ntfy.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
 
-alloy_config_additional: |
+alloy_config: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ secret__metrics_chaos }}"
+      }
+    }
+  }
+  loki.write "default" {
+    endpoint {
+      url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
+      basic_auth {
+        username = "chaos"
+        password = "{{ secret__loki_chaos }}"
+      }
+    }
+  }
+
+  loki.relabel "journal" {
+    forward_to = []
+
+    rule {
+      source_labels = ["__journal__systemd_unit"]
+      target_label  = "systemd_unit"
+    }
+    rule {
+      source_labels = ["__journal__hostname"]
+      target_label = "instance"
+    }
+    rule {
+      source_labels = ["__journal__transport"]
+      target_label = "systemd_transport"
+    }
+    rule {
+      source_labels = ["__journal_syslog_identifier"]
+      target_label = "syslog_identifier"
+    }
+    rule {
+      source_labels = ["__journal_priority_keyword"]
+      target_label  = "level"
+    }
+    rule {
+      source_labels = ["__journal__hostname"]
+      target_label = "host"
+      regex  = "([^:]+)"
+      replacement = "${1}.hamburg.ccc.de"
+      action = "replace"
+    }
+  }
+
+  loki.source.journal "read_journal"  {
+    forward_to    = [loki.write.default.receiver]
+    relabel_rules = loki.relabel.journal.rules
+    format_as_json = true
+    labels        = {component = "loki.source.journal", org = "ccchh"}
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.relabel "default" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "host"
+      regex  = "([^:]+)"
+      replacement = "${1}.hamburg.ccc.de"
+      action = "replace"
+    }
+  }
+
+  prometheus.scrape "unix_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.default.receiver]
+  }
+
   prometheus.scrape "ntfy_metrics" {
     targets     = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
-    forward_to  = [prometheus.relabel.chaosknoten_common.receiver]
+    forward_to  = [prometheus.relabel.default.receiver]
   }

inventories/chaosknoten/host_vars/router.yaml

@@ -1,5 +1,2 @@
 systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
-systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
 nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
-ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
-ansible_pull__timer_randomized_delay_sec: 0min

inventories/chaosknoten/hosts.yaml

@@ -1,9 +1,9 @@
 all:
   hosts:
     ccchoir:
-      ansible_host: ccchoir.hosts.hamburg.ccc.de
+      ansible_host: ccchoir-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     chaosknoten:
       ansible_host: chaosknoten.hamburg.ccc.de
     cloud:
@@ -15,13 +15,13 @@ all:
       ansible_user: chaos
       ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     grafana:
-      ansible_host: grafana.hosts.hamburg.ccc.de
+      ansible_host: grafana-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     tickets:
-      ansible_host: tickets.hosts.hamburg.ccc.de
+      ansible_host: tickets-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     keycloak:
       ansible_host: keycloak.hosts.hamburg.ccc.de
       ansible_user: chaos
@@ -33,9 +33,9 @@ all:
       ansible_host: mumble.hamburg.ccc.de
       ansible_user: chaos
     netbox:
-      ansible_host: netbox.hosts.hamburg.ccc.de
+      ansible_host: netbox-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     onlyoffice:
       ansible_host: onlyoffice.hosts.hamburg.ccc.de
       ansible_user: chaos
@@ -45,9 +45,9 @@ all:
       ansible_user: chaos
       ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     pretalx:
-      ansible_host: pretalx.hosts.hamburg.ccc.de
+      ansible_host: pretalx-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     public-reverse-proxy:
       ansible_host: public-reverse-proxy.hamburg.ccc.de
       ansible_user: chaos
@@ -59,21 +59,21 @@ all:
       ansible_user: chaos
       ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     zammad:
-      ansible_host: zammad.hosts.hamburg.ccc.de
+      ansible_host: zammad-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     ntfy:
-      ansible_host: ntfy.hosts.hamburg.ccc.de
+      ansible_host: ntfy-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     sunders:
-      ansible_host: sunders.hosts.hamburg.ccc.de
+      ansible_host: sunders-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
     renovate:
-      ansible_host: renovate.hosts.hamburg.ccc.de
+      ansible_host: renovate-intern.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 hypervisors:
   hosts:
     chaosknoten:
@@ -158,10 +158,11 @@ certbot_hosts:
     zammad:
     ntfy:
     sunders:
-alloy_hosts:
+prometheus_node_exporter_hosts:
   hosts:
     ccchoir:
     eh22-wiki:
+    tickets:
     keycloak:
     netbox:
     onlyoffice:
@@ -169,14 +170,6 @@ alloy_hosts:
     pretalx:
     wiki:
     zammad:
-    grafana:
-    ntfy:
-    tickets:
-    renovate:
-    cloud:
-    public-reverse-proxy:
-    router:
-    sunders:
 infrastructure_authorized_keys_hosts:
   hosts:
     ccchoir:
@@ -206,6 +199,10 @@ netbox_hosts:
 proxmox_vm_template_hosts:
   hosts:
     chaosknoten:
+alloy_hosts:
+  hosts:
+    grafana:
+    ntfy:
 ansible_pull_hosts:
   hosts:
     netbox:

inventories/external/group_vars/all.sops.yaml

@@ -1,210 +0,0 @@
-msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
-sops:
-  age:
-    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w
-        c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN
-        clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ
-        aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y
-        mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-01-15T21:28:28Z"
-  mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
-  pgp:
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I
-        b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY
-        /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu
-        Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/
-        e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B
-        inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw
-        P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow
-        RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W
-        XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn
-        gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV
-        HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS
-        XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH
-        tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a
-        =Xw0f
-        -----END PGP MESSAGE-----
-      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+
-        U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L
-        eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW
-        TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc
-        OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo
-        b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR
-        8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem
-        Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk
-        +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq
-        5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb
-        ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS
-        XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7
-        RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u
-        =k6m5
-        -----END PGP MESSAGE-----
-      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ
-        z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr
-        AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX
-        EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd
-        txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3
-        CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX
-        AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt
-        KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf
-        53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ
-        iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn
-        Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS
-        XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX
-        OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0
-        =seAB
-        -----END PGP MESSAGE-----
-      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ
-        ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7
-        vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh
-        GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R
-        ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA
-        q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN
-        F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT
-        968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb
-        Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH
-        RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM
-        WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS
-        XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T
-        X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt
-        =t5WG
-        -----END PGP MESSAGE-----
-      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw
-        OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu
-        0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD
-        kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg==
-        =8Qs3
-        -----END PGP MESSAGE-----
-      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2
-        SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm
-        +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB
-        nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm
-        ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH
-        xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP
-        2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv
-        4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP
-        AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5
-        fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV
-        J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S
-        XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD
-        QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn
-        =NJUn
-        -----END PGP MESSAGE-----
-      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33
-        rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU
-        b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB
-        VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6
-        z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc
-        y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk
-        pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6
-        DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS
-        55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2
-        Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS
-        2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS
-        XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ
-        e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h
-        =gUj7
-        -----END PGP MESSAGE-----
-      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw
-        YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4
-        W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly
-        m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl
-        AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB
-        QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW
-        fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT
-        XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw
-        Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv
-        v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt
-        zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS
-        XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb
-        YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV
-        =pL2f
-        -----END PGP MESSAGE-----
-      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw
-        0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin
-        0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8
-        KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg==
-        =slU2
-        -----END PGP MESSAGE-----
-      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw
-        bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL
-        0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp
-        JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw==
-        =1DIj
-        -----END PGP MESSAGE-----
-      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2026-01-15T21:28:06Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204
-        CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99
-        e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R
-        6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1
-        M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN
-        Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L
-        vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G
-        k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm
-        MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/
-        3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF
-        XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS
-        XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn
-        96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz
-        =IYeC
-        -----END PGP MESSAGE-----
-      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
-  unencrypted_suffix: _unencrypted
-  version: 3.11.0

inventories/external/group_vars/all.yaml

@@ -1,16 +0,0 @@
-# ansible_pull
-# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
-ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
-ansible_pull__inventory: inventories/external
-ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
-ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
-ansible_pull__timer_randomized_delay_sec: 30min
-
-# msmtp
-# msmtp__smtp_password is defined in the all.sops.yaml.
-msmtp__smtp_host: cow.hamburg.ccc.de
-msmtp__smtp_port: 465
-msmtp__smtp_tls_method: smtps
-msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
-msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"

inventories/external/host_vars/status.sops.yaml

@@ -1,212 +0,0 @@
-ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
-secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
-secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
-sops:
-  age:
-    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx
-        UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq
-        M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk
-        RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2
-        13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-01-18T18:40:32Z"
-  mac: ENC[AES256_GCM,data:7bP0fmn6TJKA8zLuXE8F47sHn1qqX33z/078KkCJx5yRSKBGyLnTeKNha8EODEBkMG0eXQ2BEQDPfNB892R5OW69xCInCa0+sEPONd3YELMvFVoM7/+avDi94X/tdJKCHVPnF/kpqnGhKlwikKlCFLIcbkfEAHJgDlze32C0QKU=,iv:1Q5dsJP2FToAYDJYWXJufHuIlXGfj93NaBWHfZ5rhHk=,tag:dFNYdMJOwUwr6/zwlRollg==,type:str]
-  pgp:
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/
-        HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW
-        w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi
-        o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr
-        dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT
-        QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+
-        97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE
-        dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf
-        j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT
-        B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9
-        cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS
-        XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI
-        tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ=
-        =HCWY
-        -----END PGP MESSAGE-----
-      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M
-        UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6
-        KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4
-        JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu
-        RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf
-        LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J
-        SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5
-        YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD
-        CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF
-        W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q
-        melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS
-        XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e
-        GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74=
-        =v7Jf
-        -----END PGP MESSAGE-----
-      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ
-        zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv
-        y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y
-        Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo
-        FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw
-        sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz
-        8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1
-        +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au
-        qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU
-        yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F
-        HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S
-        XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF
-        9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4=
-        =l9vN
-        -----END PGP MESSAGE-----
-      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp
-        +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w
-        +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1
-        oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw
-        8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx
-        wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26
-        MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK
-        ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj
-        IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB
-        b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm
-        YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS
-        XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF
-        JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4=
-        =8IWz
-        -----END PGP MESSAGE-----
-      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw
-        9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM
-        0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr
-        1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ
-        =FVIu
-        -----END PGP MESSAGE-----
-      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz
-        ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F
-        15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN
-        pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW
-        Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR
-        PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+
-        27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU
-        amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I
-        bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P
-        dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc
-        bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS
-        XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD
-        QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA=
-        =EPrs
-        -----END PGP MESSAGE-----
-      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0
-        RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC
-        Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9
-        fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC
-        3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9
-        bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW
-        p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl
-        USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm
-        dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa
-        PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9
-        NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS
-        XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n
-        H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo=
-        =0Nal
-        -----END PGP MESSAGE-----
-      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK
-        ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV
-        Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl
-        IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH
-        i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9
-        1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq
-        lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG
-        m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi
-        9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7
-        N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy
-        FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS
-        XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7
-        uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k=
-        =e4Qe
-        -----END PGP MESSAGE-----
-      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw
-        27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di
-        0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h
-        7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci
-        =68na
-        -----END PGP MESSAGE-----
-      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw
-        oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK
-        0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz
-        LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ
-        =Kpzf
-        -----END PGP MESSAGE-----
-      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2026-01-15T21:23:56Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO
-        rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I
-        hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc
-        yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD
-        Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo
-        2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR
-        yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY
-        YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz
-        WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu
-        1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv
-        YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS
-        XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY
-        rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk=
-        =lbdI
-        -----END PGP MESSAGE-----
-      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
-  unencrypted_suffix: _unencrypted
-  version: 3.11.0

inventories/external/host_vars/status.yaml

@@ -1,27 +0,0 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
-docker_compose__configuration_files:
-  - name: "general.yaml"
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
-  - name: "sites.yaml"
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
-  - name: "services-chaosknoten.yaml"
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
-  - name: "websites.yaml"
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
-  - name: "easterhegg-websites.yaml"
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
-
-nginx__version_spec: ""
-nginx__deploy_redirect_conf: false
-nginx__configurations:
-  - name: status.hamburg.ccc.de
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
-  - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
-
-certbot__version_spec: ""
-certbot__acme_account_email_address: le-admin@hamburg.ccc.de
-certbot__certificate_domains:
-  - "status.hamburg.ccc.de"
-certbot__new_cert_commands:
-  - "systemctl reload nginx.service"

inventories/external/hosts.yaml

@@ -1,24 +0,0 @@
-all:
-  hosts:
-    status:
-      # TODO: Manually set up ufw on the host. Create a role for ufw.
-      ansible_host: status.hamburg.ccc.de
-      ansible_user: chaos
-base_config_hosts:
-  hosts:
-    status:
-docker_compose_hosts:
-  hosts:
-    status:
-nginx_hosts:
-  hosts:
-    status:
-certbot_hosts:
-  hosts:
-    status:
-infrastructure_authorized_keys_hosts:
-  hosts:
-    status:
-ansible_pull_hosts:
-  hosts:
-    status:

inventories/z9/host_vars/dooris.yaml

@@ -7,11 +7,9 @@ certbot__certificate_domains:
   - "dooris.ccchh.net"
 certbot__new_cert_commands:
   - "systemctl reload nginx.service"
+certbot__http_01_port: 80
 
 nginx__version_spec: ""
-nginx__deploy_redirect_conf: false
 nginx__configurations:
   - name: dooris.ccchh.net
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
-  - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"

playbooks/deploy.yaml

@@ -64,6 +64,11 @@
   roles:
     - nginx
 
+- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
+  hosts: prometheus_node_exporter_hosts
+  roles:
+    - prometheus_node_exporter
+
 - name: Configure unattended upgrades for all non-hypervisors
   hosts: all:!hypervisors
   become: true
@@ -78,8 +83,10 @@
 - name: Ensure Alloy is installed and Setup on alloy_hosts
   hosts: alloy_hosts
   become: true
-  roles:
+  tasks:
-    - alloy
+    - name: Setup Alloy
+      ansible.builtin.include_role:
+        name: grafana.grafana.alloy
 
 - name: Ensure ansible_pull deployment on ansible_pull_hosts
   hosts: ansible_pull_hosts

renovate.json

@@ -32,11 +32,6 @@
       "matchDatasources": ["docker"],
       "matchPackageNames": ["docker.io/pretix/standalone"],
       "versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchPackageNames": ["docker.io/pretalx/standalone"],
-      "versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
     }
   ],
   "customManagers": [

resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -43,12 +43,12 @@ server {
 
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf

@@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/grafana/docker_compose/compose.yaml.j2

@@ -2,7 +2,7 @@
 services:
 
   prometheus:
-    image: docker.io/prom/prometheus:v3.9.1
+    image: docker.io/prom/prometheus:v3.7.3
     container_name: prometheus
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
@@ -19,7 +19,7 @@ services:
       - prom_data:/prometheus
 
   alertmanager:
-    image: docker.io/prom/alertmanager:v0.30.0
+    image: docker.io/prom/alertmanager:v0.29.0
     container_name: alertmanager
     command:
       - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -32,7 +32,7 @@ services:
       - alertmanager_data:/alertmanager
 
   grafana:
-    image: docker.io/grafana/grafana:12.3.1
+    image: docker.io/grafana/grafana:12.3.0
     container_name: grafana
     ports:
       - 3000:3000
@@ -46,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
+    image: docker.io/prompve/prometheus-pve-exporter:3.5.5
     container_name: pve-exporter
     ports:
       - 9221:9221
@@ -59,7 +59,7 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
   loki:
-    image: docker.io/grafana/loki:3.6.3
+    image: docker.io/grafana/loki:3.6.0
     container_name: loki
     ports:
       - 13100:3100

resources/chaosknoten/grafana/docker_compose/prometheus.yml

@@ -82,6 +82,41 @@ scrape_configs:
         target_label: instance
       - target_label: __address__
         replacement: pve-exporter:9221
+  - job_name: hosts
+    static_configs:
+      # Wieske Chaosknoten VMs
+      - labels:
+          org: ccchh
+          site: wieske
+          type: virtual_machine
+          hypervisor: chaosknoten
+        targets:
+          - netbox-intern.hamburg.ccc.de:9100
+          - matrix-intern.hamburg.ccc.de:9100
+          - public-web-static-intern.hamburg.ccc.de:9100
+          - git-intern.hamburg.ccc.de:9100
+          - forgejo-actions-runner-intern.hamburg.ccc.de:9100
+          - eh22-wiki-intern.hamburg.ccc.de:9100
+          - mjolnir-intern.hamburg.ccc.de:9100
+          - woodpecker-intern.hamburg.ccc.de:9100
+          - penpot-intern.hamburg.ccc.de:9100
+          - jitsi.hamburg.ccc.de:9100
+          - onlyoffice-intern.hamburg.ccc.de:9100
+          - ccchoir-intern.hamburg.ccc.de:9100
+          - tickets-intern.hamburg.ccc.de:9100
+          - keycloak-intern.hamburg.ccc.de:9100
+          - onlyoffice-intern.hamburg.ccc.de:9100
+          - pad-intern.hamburg.ccc.de:9100
+          - wiki-intern.hamburg.ccc.de:9100
+          - zammad-intern.hamburg.ccc.de:9100
+          - pretalx-intern.hamburg.ccc.de:9100
+      - labels:
+          org: ccchh
+          site: wieske
+          type: physical_machine
+        targets:
+          - chaosknoten.hamburg.ccc.de:9100
+
 
 storage:
   tsdb:

resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf

@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf

@@ -17,6 +17,7 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:50051 ssl;
+    listen 172.31.17.145:50051 ssl;
 
     http2 on;
 
@@ -58,6 +59,7 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:443 ssl;
+    listen 172.31.17.145:443 ssl;
 
     http2 on;
 

resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf

@@ -9,6 +9,7 @@ server {
     allow 2a00:14b0:4200:3380::/64;
     allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
     # Z9
+    allow 2a07:c480:0:100::/56;
     allow 2a07:c481:1::/48;
     # fuxnoc
     allow 2a07:c481:0:1::/64;
@@ -17,6 +18,7 @@ server {
     server_name metrics.hamburg.ccc.de;
 
     listen [::]:443 ssl;
+    listen 172.31.17.145:443 ssl;
     http2 on;
 
     client_body_buffer_size 512k;

resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf

@@ -3,6 +3,7 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf

@@ -3,6 +3,7 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf

@@ -7,6 +7,7 @@ server {
     ##listen [::]:443 ssl http2;
 
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf

@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl proxy_protocol;
+    listen 8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2

@@ -4,7 +4,7 @@
 
 services:
   onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.2.1
+    image: docker.io/onlyoffice/documentserver:9.1.0
     restart: unless-stopped
     volumes:
       - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"

resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf

@@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/pad/docker_compose/compose.yaml.j2

@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.5
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
     environment:
       - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
       - "CMD_DOMAIN=pad.hamburg.ccc.de"

resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf

@@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2

@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.29.4
+    image: docker.io/library/nginx:1.29.3
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html

resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf

@@ -4,12 +4,12 @@ map $host $upstream_acme_challenge_host {
     c3cat.de 172.31.17.151:31820;
     www.c3cat.de 172.31.17.151:31820;
     staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
     cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
     element.hamburg.ccc.de 172.31.17.151:31820;
     git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
+    grafana.hamburg.ccc.de 172.31.17.145:31820;
     hackertours.hamburg.ccc.de 172.31.17.151:31820;
     staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
     hamburg.ccc.de 172.31.17.151:31820;
@@ -19,18 +19,18 @@ map $host $upstream_acme_challenge_host {
     matrix.hamburg.ccc.de 172.31.17.150:31820;
     mas.hamburg.ccc.de 172.31.17.150:31820;
     element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
+    netbox.hamburg.ccc.de 172.31.17.167:31820;
     onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
     pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
-    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
+    pretalx.hamburg.ccc.de 172.31.17.157:31820;
     spaceapi.hamburg.ccc.de 172.31.17.151:31820;
     staging.hamburg.ccc.de 172.31.17.151:31820;
     wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
     wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
     www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
+    tickets.hamburg.ccc.de 172.31.17.148:31820;
-    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
+    sunders.hamburg.ccc.de 172.31.17.170:31820;
-    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
+    zammad.hamburg.ccc.de 172.31.17.152:31820;
     eh03.easterhegg.eu 172.31.17.151:31820;
     eh05.easterhegg.eu 172.31.17.151:31820;
     eh07.easterhegg.eu 172.31.17.151:31820;
@@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
     design.hamburg.ccc.de 172.31.17.162:31820;
     hydra.hamburg.ccc.de 172.31.17.163:31820;
     cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
+    ntfy.hamburg.ccc.de 172.31.17.149:31820;
     cryptoparty-hamburg.de 172.31.17.151:31820;
     cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
     staging.cryptoparty-hamburg.de 172.31.17.151:31820;

resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf

@@ -18,21 +18,21 @@ stream {
     resolver 212.12.50.158 192.76.134.90;
 
     map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
         cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
         pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
         id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
         invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
         keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
-        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
+        grafana.hamburg.ccc.de 172.31.17.145:8443;
         wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
         wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
         onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
         hackertours.hamburg.ccc.de 172.31.17.151:8443;
         staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
+        netbox.hamburg.ccc.de 172.31.17.167:8443;
         matrix.hamburg.ccc.de 172.31.17.150:8443;
         mas.hamburg.ccc.de 172.31.17.150:8443;
         element-admin.hamburg.ccc.de 172.31.17.151:8443;
@@ -42,9 +42,9 @@ stream {
         hamburg.ccc.de 172.31.17.151:8443;
         staging.hamburg.ccc.de 172.31.17.151:8443;
         spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
+        tickets.hamburg.ccc.de 172.31.17.148:8443;
-        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
+        sunders.hamburg.ccc.de 172.31.17.170:8443;
-        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
+        zammad.hamburg.ccc.de 172.31.17.152:8443;
         c3cat.de 172.31.17.151:8443;
         www.c3cat.de 172.31.17.151:8443;
         staging.c3cat.de 172.31.17.151:8443;
@@ -90,8 +90,8 @@ stream {
         woodpecker.hamburg.ccc.de 172.31.17.160:8443;
         design.hamburg.ccc.de 172.31.17.162:8443;
         hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
+        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
+        ntfy.hamburg.ccc.de 172.31.17.149:8443;
         cryptoparty-hamburg.de 172.31.17.151:8443;
         cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
         staging.cryptoparty-hamburg.de 172.31.17.151:8443;

resources/chaosknoten/router/nftables/nftables.conf

@@ -39,29 +39,13 @@ table inet host {
         ct state established,related accept
 
 		ip protocol icmp accept
-        # ICMPv6
+		ip6 nexthdr icmpv6 accept
-        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
-        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
-        # Error messages that are essential to the establishment and maintenance of communications:
-        icmpv6 type { destination-unreachable, packet-too-big } accept
-        icmpv6 type { time-exceeded } accept
-        icmpv6 type { parameter-problem } accept
-        # Connectivity checking messages:
-        icmpv6 type { echo-request, echo-reply } accept
-        # Address Configuration and Router Selection messages:
-        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
-        # Link-Local Multicast Receiver Notification messages:
-        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
-        # SEND Certificate Path Notification messages:
-        icmpv6 type { 148, 149 } accept
-        # Multicast Router Discovery messages:
-        icmpv6 type { 151, 152, 153 } accept
 
         # Allow SSH access.
         tcp dport 22 accept comment "allow ssh access"
 
         # Allow DHCP server access.
-		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
+		iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
     }
 }
 

resources/chaosknoten/router/systemd_networkd/20-net1.network

@@ -3,6 +3,7 @@ Name=net1
 
 [Network]
 DNS=212.12.50.158
+IPForward=ipv4
 IPv6AcceptRA=no
 
 [Address]
@@ -10,3 +11,4 @@ Address=212.12.48.123/24
 
 [Route]
 Gateway=212.12.48.55
+

resources/chaosknoten/router/systemd_networkd/20-net2.network

@@ -3,6 +3,7 @@ Name=net2
 
 [Network]
 #DNS=212.12.50.158
+IPForward=ipv6
 IPv6AcceptRA=no
 
 [Address]
@@ -10,3 +11,4 @@ Address=2a00:14b0:4200:3500::130:2/112
 
 [Route]
 Gateway=2a00:14b0:4200:3500::130:1
+

resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network

@@ -11,12 +11,6 @@ Description=v4-NAT
 # Masquerading done in nftables (nftables.conf).
 IPv6SendRA=yes
 
-DHCPServer=true
-
-[DHCPServer]
-PoolOffset=100
-PoolSize=150
-
 [Address]
 Address=10.32.2.1/24
 

resources/chaosknoten/router/systemd_networkd_global_config.conf

@@ -1,3 +0,0 @@
-[Network]
-IPv4Forwarding=true
-IPv6Forwarding=true

resources/chaosknoten/sunders/docker_compose/compose.yaml.j2

@@ -3,7 +3,7 @@
 
 services:
   db:
-    image: mariadb:12.1.2
+    image: mariadb:12.0.2
     command: --max_allowed_packet=3250585600
     environment:
       MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"

resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf

@@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf

@@ -2,6 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
     listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy

resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf

@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen [::]:8443 ssl http2 proxy_protocol;
+    listen 8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    set_real_ip_from 172.31.17.140;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;

resources/external/status/docker_compose/compose.yaml.j2

@@ -1,36 +0,0 @@
-# https://gatus.io/
-# https://github.com/TwiN/gatus
-# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
-
-services:
-  database:
-    image: docker.io/library/postgres:18.1
-    volumes:
-      - ./database:/var/lib/postgresql
-    environment:
-      - "POSTGRES_DB=gatus"
-      - "POSTGRES_USER=gatus"
-      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
-    networks:
-      - gatus
-
-  gatus:
-    image: ghcr.io/twin/gatus:v5.34.0
-    restart: always
-    ports:
-      - "8080:8080"
-    environment:
-      - "GATUS_CONFIG_PATH=/config"
-      - "POSTGRES_DB=gatus"
-      - "POSTGRES_USER=gatus"
-      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
-      - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
-    volumes:
-      - ./configs:/config
-    networks:
-      - gatus
-    depends_on:
-      - database
-
-networks:
-  gatus:

resources/external/status/docker_compose/config/easterhegg-websites.yaml

@@ -1,303 +0,0 @@
-# Easterhegg Websites and Websites (Redirects)
-# (hosted on public-web-static)
-# One could probably also generate this list from the public-web-static config.
-easterhegg-websites-defaults: &easterhegg_websites_defaults
-  group: Websites
-  interval: 5m
-  alerts:
-    - type: matrix
-      failure-threshold: 3
-      success-threshold: 1
-      minimum-reminder-interval: "12h"
-      send-on-resolved: true
-
-easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
-  group: Websites (Redirects)
-  interval: 15m
-  alerts:
-    - type: matrix
-      failure-threshold: 3
-      success-threshold: 1
-      minimum-reminder-interval: "24h"
-      send-on-resolved: true
-
-endpoints:
-  # Websites
-  - name: eh03.easterhegg.eu
-    url: "https://eh03.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easter(h)egg 2003*)"
-
-  - name: eh05.easterhegg.eu
-    url: "https://eh05.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
-
-  - name: eh07.easterhegg.eu
-    url: "https://eh07.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: eh09.easterhegg.eu
-    url: "https://eh09.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: eh11.easterhegg.eu
-    url: "https://eh11.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: eh20.easterhegg.eu
-    url: "https://eh20.easterhegg.eu"
-    <<: *easterhegg_websites_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*EH20 - Back to root*)"
-
-  # Websites (Redirects)
-  # eh03.easterhegg.eu
-  - name: eh2003.hamburg.ccc.de
-    url: "https://eh2003.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easter(h)egg 2003*)"
-
-  - name: www.eh2003.hamburg.ccc.de
-    url: "https://www.eh2003.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easter(h)egg 2003*)"
-
-  - name: easterhegg2003.hamburg.ccc.de
-    url: "https://easterhegg2003.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easter(h)egg 2003*)"
-
-  - name: www.easterhegg2003.hamburg.ccc.de
-    url: "https://www.easterhegg2003.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easter(h)egg 2003*)"
-
-  # eh05.easterhegg.eu
-  - name: eh2005.hamburg.ccc.de
-    url: "https://eh2005.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
-
-  - name: www.eh2005.hamburg.ccc.de
-    url: "https://www.eh2005.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
-
-  - name: easterhegg2005.hamburg.ccc.de
-    url: "https://easterhegg2005.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
-
-  - name: www.easterhegg2005.hamburg.ccc.de
-    url: "https://www.easterhegg2005.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
-
-  # eh07.easterhegg.eu
-  - name: eh2007.hamburg.ccc.de
-    url: "https://eh2007.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: www.eh2007.hamburg.ccc.de
-    url: "https://www.eh2007.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: eh07.hamburg.ccc.de
-    url: "https://eh07.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: www.eh07.hamburg.ccc.de
-    url: "https://www.eh07.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: easterhegg2007.hamburg.ccc.de
-    url: "https://easterhegg2007.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  - name: www.easterhegg2007.hamburg.ccc.de
-    url: "https://www.easterhegg2007.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
-
-  # eh09.easterhegg.eu
-  - name: eh2009.hamburg.ccc.de
-    url: "https://eh2009.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: www.eh2009.hamburg.ccc.de
-    url: "https://www.eh2009.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: eh09.hamburg.ccc.de
-    url: "https://eh09.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: www.eh09.hamburg.ccc.de
-    url: "https://www.eh09.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: easterhegg2009.hamburg.ccc.de
-    url: "https://easterhegg2009.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  - name: www.easterhegg2009.hamburg.ccc.de
-    url: "https://www.easterhegg2009.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2009*)"
-
-  # eh11.easterhegg.eu
-  - name: eh2011.hamburg.ccc.de
-    url: "https://eh2011.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: www.eh2011.hamburg.ccc.de
-    url: "https://www.eh2011.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: eh11.hamburg.ccc.de
-    url: "https://eh11.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: www.eh11.hamburg.ccc.de
-    url: "https://www.eh11.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: easterhegg2011.hamburg.ccc.de
-    url: "https://easterhegg2011.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  - name: www.easterhegg2011.hamburg.ccc.de
-    url: "https://www.easterhegg2011.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*Easterhegg 2011*)"
-
-  # eh20.easterhegg.eu
-  - name: www.eh20.easterhegg.eu
-    url: "https://www.eh20.easterhegg.eu"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*EH20 - Back to root*)"
-
-  - name: eh20.hamburg.ccc.de
-    url: "https://eh20.hamburg.ccc.de"
-    <<: *easterhegg_websites_redirects_defaults
-    conditions:
-      - "[status] == 200"
-      - "[certificate_expiration] > 48h"
-      - "[BODY] == pat(*EH20 - Back to root*)"

resources/external/status/docker_compose/config/general.yaml

@@ -1,27 +0,0 @@
-storage:
-  type: postgres
-  path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
-  maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
-  maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
-
-ui:
-  title: CCCHH Status
-  description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
-  header: CCCHH Status
-  buttons:
-    - name: Website
-      link: "https://hamburg.ccc.de"
-    - name: Git
-      link: "https://git.hamburg.ccc.de"
-    - name: Kontakt & Impressum
-      link: "https://hamburg.ccc.de/imprint/"
-  default-sort-by: group
-
-alerting:
-  matrix:
-    server-url: "https://matrix.nekover.se"
-    access-token: "${MATRIX_ACCESS_TOKEN}"
-    internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
-
-# A bit more than the default 5 concurrent checks should be fine.
-concurrency: 15

resources/external/status/docker_compose/config/services-chaosknoten.yaml

@@ -1,264 +0,0 @@
-# Services (Chaosknoten)
-services-chaosknoten-defaults: &services_chaosknoten_defaults
-  group: Services (Chaosknoten)
-  interval: 1m
-  alerts:
-    - type: matrix
-      failure-threshold: 5
-      success-threshold: 2
-      minimum-reminder-interval: "6h"
-      send-on-resolved: true
-
-endpoints:
-  - name: CCCHH ID/Keycloak (main page/account console)
-    url: "https://id.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
-
-  - name: CCCHH ID/Keycloak (ccchh realm)
-    url: "https://id.hamburg.ccc.de/realms/ccchh/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY].realm == ccchh"
-
-  - name: ccchoir
-    url: "https://ccchoir.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
-
-  - name: Cloud (status info)
-    url: "https://cloud.hamburg.ccc.de/status.php"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY].installed == true"
-      - "[BODY].maintenance == false"
-
-  - name: Cloud (main page/login)
-    url: "https://cloud.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Sign in to CCCHH*)"
-
-  - name: cow (main page/login)
-    url: "https://cow.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*mailcow UI*)"
-
-  - name: cow (SMTP port 25)
-    url: "tcp://cow.hamburg.ccc.de:25"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: cow (SMTPS port 465)
-    url: "tls://cow.hamburg.ccc.de:465"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: cow (SMTP with STARTTLS port 587)
-    url: "starttls://cow.hamburg.ccc.de:587"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: cow (IMAP port 143)
-    url: "tcp://cow.hamburg.ccc.de:143"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: cow (IMAPS port 465)
-    url: "tls://cow.hamburg.ccc.de:465"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: Design/penpot
-    url: "https://design.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
-
-  - name: EH22 Website/Wiki
-    url: "https://eh22.easterhegg.eu/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2025*)"
-
-  - name: Git
-    url: "https://git.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*CCCHH Git*)"
-
-  - name: GitLab
-    url: "https://gitlab.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
-
-  - name: Grafana
-    url: "https://grafana.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Sign in to CCCHH*)"
-
-  - name: Jitsi
-    url: "https://jitsi.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Jitsi Meet*)"
-
-  - name: Lists
-    url: "https://lists.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Mailing Lists*)"
-
-  - name: Matrix
-    url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "has([BODY].versions) == true"
-      - "has([BODY].unstable_features) == true"
-
-  - name: Mumble (tcp)
-    url: "tcp://mumble.hamburg.ccc.de:64738"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: Mumble (udp)
-    url: "udp://mumble.hamburg.ccc.de:64738"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: NetBox
-    url: "https://NetBox.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*NetBox*)"
-
-  - name: ntfy
-    url: "https://ntfy.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*ntfy web requires JavaScript*)"
-
-  - name: OnlyOffice
-    url: "https://onlyoffice.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
-
-  - name: Pad
-    url: "https://pad.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
-
-  - name: Pretalx (main page)
-    url: "https://pretalx.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*pretalx*)"
-
-  - name: Pretalx (EH22/Easterhegg 2025)
-    url: "https://cfp.eh22.easterhegg.eu/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Easterhegg 2025*)"
-      - "[BODY] == pat(*pretalx*)"
-
-  - name: SpaceAPI
-    url: "https://spaceapi.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY].space == CCCHH"
-
-  - name: Surveillance under Surveillance
-    url: "https://sunders.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Surveillance under Surveillance*)"
-
-  - name: Tickets/pretix
-    url: "https://tickets.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*pretix*)"
-
-  - name: Wiki
-    url: "https://wiki.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*CCCHH Wiki*)"
-
-  - name: Woodpecker
-    url: "https://woodpecker.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Woodpecker*)"
-
-  - name: Zammad
-    url: "https://zammad.hamburg.ccc.de/"
-    <<: *services_chaosknoten_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*zammad*)"

resources/external/status/docker_compose/config/sites.yaml

@@ -1,23 +0,0 @@
-# Sites
-sites-defaults: &sites_defaults
-  group: Sites
-  interval: 1m
-  alerts:
-    - type: matrix
-      failure-threshold: 5
-      success-threshold: 2
-      minimum-reminder-interval: "6h"
-      send-on-resolved: true
-
-endpoints:
-  - name: Chaosknoten/IRZ42
-    url: "icmp://chaosknoten.hamburg.ccc.de"
-    <<: *sites_defaults
-    conditions:
-      - "[CONNECTED] == true"
-
-  - name: Z9
-    url: "icmp://185.161.129.129"
-    <<: *sites_defaults
-    conditions:
-      - "[CONNECTED] == true"

resources/external/status/docker_compose/config/websites.yaml

@@ -1,174 +0,0 @@
-# Websites, Websites (Staging) and Websites (Redirects)
-# (hosted on public-web-static)
-# One could probably also generate this list from the public-web-static config.
-websites-defaults: &websites_defaults
-  group: Websites
-  interval: 1m
-  alerts:
-    - type: matrix
-      failure-threshold: 5
-      success-threshold: 2
-      minimum-reminder-interval: "6h"
-      send-on-resolved: true
-
-websites-staging-defaults: &websites_staging_defaults
-  group: Websites (Staging)
-  interval: 5m
-  alerts:
-    - type: matrix
-      failure-threshold: 3
-      success-threshold: 1
-      minimum-reminder-interval: "24h"
-      send-on-resolved: true
-
-websites-redirects-defaults: &websites_redirects_defaults
-  group: Websites (Redirects)
-  interval: 5m
-  alerts:
-    - type: matrix
-      failure-threshold: 3
-      success-threshold: 1
-      minimum-reminder-interval: "24h"
-      send-on-resolved: true
-
-endpoints:
-  # Websites
-  - name: branding-resources.hamburg.ccc.de
-    url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*file:       ccchh-logo.png*)"
-
-  - name: c3cat.de
-    url: "https://c3cat.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Cat Ears Operation Center*)"
-
-  - name: cryptoparty-hamburg.de
-    url: "https://cryptoparty-hamburg.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
-
-  - name: element-admin.hamburg.ccc.de
-    url: "https://element-admin.hamburg.ccc.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Loading Element Admin*)"
-
-  - name: element.hamburg.ccc.de
-    url: "https://element.hamburg.ccc.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
-
-  - name: hacker.tours
-    url: "https://hacker.tours"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      # Once suites support alerting, we can also monitor the target as well.
-      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
-
-  - name: hackertours.hamburg.ccc.de
-    url: "https://hackertours.hamburg.ccc.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      # Once suites support alerting, we can also monitor the target as well.
-      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
-
-  - name: hamburg.ccc.de
-    url: "https://hamburg.ccc.de"
-    <<: *websites_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
-
-# Websites (Staging)
-  - name: staging.c3cat.de
-    url: "https://staging.c3cat.de"
-    <<: *websites_staging_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*c3cat.de Staging Environment*)"
-
-  - name: staging.cryptoparty-hamburg.de
-    url: "https://staging.cryptoparty-hamburg.de"
-    <<: *websites_staging_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
-
-  - name: staging.hacker.tours
-    url: "https://staging.hacker.tours"
-    <<: *websites_staging_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*hacker.tours Staging Environment*)"
-
-  - name: staging.hackertours.hamburg.ccc.de
-    url: "https://staging.hackertours.hamburg.ccc.de"
-    <<: *websites_staging_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
-
-  - name: staging.hamburg.ccc.de
-    url: "https://staging.hamburg.ccc.de"
-    <<: *websites_staging_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
-
-# Website (Redirects)
-  - name: www.c3cat.de
-    url: "https://www.c3cat.de"
-    <<: *websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Cat Ears Operation Center*)"
-
-  - name: cryptoparty.hamburg.ccc.de
-    url: "https://cryptoparty.hamburg.ccc.de"
-    <<: *websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
-
-  - name: staging.cryptoparty.hamburg.ccc.de
-    url: "https://staging.cryptoparty.hamburg.ccc.de"
-    <<: *websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
-
-  - name: www.hamburg.ccc.de
-    url: "https://www.hamburg.ccc.de"
-    <<: *websites_redirects_defaults
-    conditions:
-      - "[STATUS] == 200"
-      - "[CERTIFICATE_EXPIRATION] > 48h"
-      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"

resources/external/status/nginx/http_handler.conf

@@ -1,14 +0,0 @@
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    server_name status.hamburg.ccc.de;
-
-    location / {
-        return 301 https://$host$request_uri;
-    }
-
-    location /.well-known/acme-challenge/ {
-        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
-    }
-}

resources/external/status/nginx/status.hamburg.ccc.de.conf

@@ -1,33 +0,0 @@
-# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
-server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
-
-    server_name status.hamburg.ccc.de;
-
-    ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
-    # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
-
-    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-    add_header Strict-Transport-Security "max-age=63072000" always;
-
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Port 443;
-    # This is https in any case.
-    proxy_set_header X-Forwarded-Proto https;
-    # Hide the X-Forwarded header.
-    proxy_hide_header X-Forwarded;
-    # Assume we are the only Reverse Proxy.
-    # Also provide "_hidden" for by, since it's not relevant.
-    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
-
-    location / {
-        proxy_pass http://127.0.0.1:8080/;
-    }
-}

resources/z9/dooris/nginx/http_handler.conf

@@ -1,12 +0,0 @@
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    location / {
-        return 301 https://$host$request_uri;
-    }
-
-    location /.well-known/acme-challenge/ {
-        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
-    }
-}

roles/alloy/defaults/main.yaml

@@ -1,44 +0,0 @@
-alloy_config_default: |
-  prometheus.remote_write "default" {
-    endpoint {
-      url = "https://metrics.hamburg.ccc.de/api/v1/write"
-      basic_auth {
-        username = "chaos"
-        password = "{{ metrics__chaos_password }}"
-      }
-    }
-  }
-
-  prometheus.relabel "chaosknoten_common" {
-    forward_to = [prometheus.remote_write.default.receiver]
-    rule {
-      target_label = "org"
-      replacement = "ccchh"
-    }
-    rule {
-      target_label = "site"
-      replacement = "wieske"
-    }
-    rule {
-      source_labels = ["instance"]
-      target_label = "instance"
-      regex  = "([^:]+)"
-      replacement = "${1}.hosts.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  logging {
-    level = "info"
-  }
-
-  prometheus.exporter.unix "local_system" {
-    enable_collectors = ["systemd"]
-  }
-
-  prometheus.scrape "scrape_metrics" {
-    targets           = prometheus.exporter.unix.local_system.targets
-    forward_to        = [prometheus.relabel.chaosknoten_common.receiver]
-  }
-
-alloy_config_additional: ""

roles/alloy/tasks/main.yaml

@@ -45,6 +45,4 @@
 - name: Setup Alloy
   ansible.builtin.import_role:
     name: grafana.grafana.alloy
-  vars:
-    alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}"
   become: true

roles/ansible_pull/tasks/main.yaml

@@ -3,7 +3,6 @@
     - name: ensure apt dependencies are installed
       ansible.builtin.apt:
         name:
-          - python3-pip
           - virtualenv
           - git
         state: present

roles/base_config/tasks/main.yaml

@@ -1,33 +0,0 @@
-# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
-- name: check if cloud-init config file exists
-  ansible.builtin.stat:
-    path: /etc/cloud/cloud.cfg
-  register: base_config__stat_cloud_cfg
-
-- name: ensure the cloud-init ssh module is disabled
-  ansible.builtin.replace:
-    path: /etc/cloud/cloud.cfg
-    regexp: " - ssh$"
-    replace: " #- ssh"
-  become: true
-  when: base_config__stat_cloud_cfg.stat.exists
-
-# Ensure a base set of admin tools is installed.
-- name: ensure a base set of admin tools is installed
-  ansible.builtin.apt:
-    name:
-      - vim
-      - joe
-      - nano
-      - htop
-      - btop
-      - ripgrep
-      - fd-find
-      - tmux
-      - git
-      - curl
-      - rsync
-      - dnsutils
-      - usbutils
-      - kitty
-  become: true

roles/certbot/meta/main.yaml

@@ -7,4 +7,3 @@ dependencies:
           major_versions:
             - 11
             - 12
-            - 13

roles/docker/meta/main.yaml

@@ -7,4 +7,3 @@ dependencies:
           major_versions:
             - 11
             - 12
-            - 13

roles/dokuwiki/meta/main.yml

@@ -7,4 +7,3 @@ dependencies:
           major_versions:
             - 11
             - 12
-            - 13

roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py

@@ -40,6 +40,7 @@ def remove_groups(response, user, backend, *args, **kwargs):
 def set_roles(response, user, backend, *args, **kwargs):
     # Remove Roles temporary
     user.is_superuser = False
+    user.is_staff = False
     try:
         groups = response['groups']
     except KeyError:
@@ -50,4 +51,5 @@ def set_roles(response, user, backend, *args, **kwargs):
 
     # Set roles is role (superuser or staff) is in groups
     user.is_superuser = True if 'superusers' in groups else False
+    user.is_staff = True if 'staff' in groups else False
     user.save()

roles/nginx/meta/main.yaml

@@ -7,4 +7,3 @@ dependencies:
           major_versions:
             - "11"
             - "12"
-            - "13"

roles/prometheus_node_exporter/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: distribution_check
+    vars:
+      distribution_check__distribution_support_spec:
+        - name: Debian
+          major_versions:
+            - "11"
+            - "12"

roles/prometheus_node_exporter/tasks/main.yaml

@@ -0,0 +1,14 @@
+- name: make sure the `prometheus-node-exporter` package is installed
+  ansible.builtin.apt:
+    name: prometheus-node-exporter
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: make sure `prometheus-node-exporter.service` is started and ansibled
+  ansible.builtin.systemd:
+    name: prometheus-node-exporter.service
+    state: started
+    enabled: true
+  become: true

roles/systemd_networkd/README.md

@@ -9,8 +9,3 @@ Should work on Debian-based distributions.
 ## Required Arguments
 
 - `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
-
-## Optional Arguments
-
-- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`).  
-  Defaults to `` (the empty string);

roles/systemd_networkd/defaults/main.yaml

@@ -1 +0,0 @@
-systemd_networkd__global_config: ""

roles/systemd_networkd/tasks/main.yaml

@@ -12,21 +12,3 @@
     recursive: true
     delete: true
   become: true
-
-- name: ensure global systemd-networkd config directory exists
-  ansible.builtin.file:
-    path: "/etc/systemd/networkd.conf.d"
-    state: directory
-    owner: root
-    group: root
-    mode: "0755"
-  become: true
-
-- name: ensure global systemd-networkd config is deployed
-  ansible.builtin.copy:
-    content: "{{ systemd_networkd__global_config }}"
-    dest: "/etc/systemd/networkd.conf.d/20-ansible.conf"
-    mode: "0644"
-    owner: root
-    group: root
-  become: true